chromium/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html

<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="./resources/common.js"></script>
<script>

const executor_path = '/common/dispatcher/executor.html?pipe=';

const https_origin = get_host_info().HTTPS_ORIGIN;
const coop_same_origin =
    '|header(Cross-Origin-Opener-Policy,same-origin)';
const csp_sandbox =
    '|header(Content-Security-Policy, sandbox allow-scripts)';

promise_test(async test => {
  const driver_token = token();

  // 1. Start from a COOP:same-origin document.
  const opener_token = token();
  const opener_url = https_origin + executor_path + coop_same_origin +
    `&uuid=${opener_token}`;
  const w = window.open(opener_url);
  add_completion_callback(() => w.close());

  // 2. It opens a popups, and then navigates the popup toward a same-origin
  // COOP:same-origin document with CSP:sandbox
  const openee_token = token();
  const openee_url = https_origin + executor_path + coop_same_origin +
    csp_sandbox + `&uuid=${openee_token}`;
  send(opener_token, `
    openee = window.open("${openee_url}");
  `);
  add_completion_callback(() => send(openee_token, "close()"));

  // Because of CSP:sandbox, the popup is not considered same-origin with
  // its openee. Check the openee/opener relationship is now closed.
  send(openee_token, `
    if (opener)
      send("${driver_token}", "Error: have opener");
    else
      send("${driver_token}", "Success: no opener");
  `);
  assert_equals(await receive(driver_token), "Success: no opener");

  // Technically, the opener's "openee" WindowProxy should appear as closed at
  // this time. The popup loaded a new document, and at least two fetch requests
  // were made. This is more than enough. However, in theory, there is nothing
  // to guarantee we can observe "openee.close". Wait a bit to ensure this will
  // never flake.
  await new Promise(r => test.step_timeout(r, 1000));

  send(opener_token, `
    if (openee.closed)
      send("${driver_token}", "Success: openee closed");
    else
      send("${driver_token}", "Error: can still access openee");
  `);
  assert_equals(await receive(driver_token), "Success: openee closed");
});

</script>